Stuxnet and now Flame: The US and Israel Continuing Cyber War against Iran

The last two weeks have brought out that cyber war is no longer in the realm of science fiction, but very much a part of what is happening here and now. First, we had David Sanger in the New York Times confirming what was widely held: that the Stuxnet virus that had damaged a number of centrifuges in the Natanz uranium enrichment facility was the joint product of US and Israeli teams. What is new in David Sanger’s report is that these attacks, codenamed Olympic Games, started under George Bush and were expanded under Barack Obama. Not only did they continue, they were directly overseen by the White House. The second is the discovery of another virus, Flame, that is also directed against Iran and has been active since at least 2009.

Why should the discovery of a new kind of virus be of such concern when computer viruses have been around for so long? This is because what a nation state can do if it gets into the act of creating viruses is qualitatively different from what a few hackers (or crackers) can do. What is at best a nuisance and at worst a loss of some data on infected machines can turn into a complete breakdown of a country’s basic infrastructure. A nation state has the ability to target the computers that control vital infrastructure and cause catastrophic failures of those systems. Even when a specific piece of equipment or a specific country is targeted, as Stuxnet has shown, such viruses can escape beyond their targets and pose a threat to other equipment and other countries as well.


Consider the case of a nuclear reactor whose core is controlled by computers. This is how the current generation of nuclear power plants is controlled. If the control system is known, it is possible to infect the system in a way that may cause a core meltdown. After Fukushima, can anybody doubt that such an act would be an act of war, on par with a physical attack on the nuclear reactor?


If we look at how the world functions, it is not just financial systems and other information that computers handle. The power grid, the controls of hazardous plants, the telecommunication networks and air traffic control are all handled by computers and software. Even the lowly washing machine has embedded controls on a chip which has software on it. If countries want to play games with such software and computers, it opens a whole new arena of war with untold consequences.


Speaking last week on the sidelines of a security conference, Eugene Kaspersky, founder of Kaspersky Lab, which found the Flame virus, said: “Cyber weapons can replicate, and there could be random victims anywhere around the globe, it doesn’t matter how far you are from the conflict. It’s not cyberwar, it’s cyberterrorism and I’m afraid it’s just the beginning of the game.”


It is not that the US is unaware of this. As early as 2000, the Pentagon’s strategic doctrine, “Joint Vision 2020,” spoke of full spectrum dominance. It describes full spectrum dominance as involving not just the four domains stated earlier – space, sea, land and air – but a fifth dimension as well: information, or cyberspace. The US also made clear that any cyber attack on its vital infrastructure would be considered an act of war and would invite physical retaliation. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” as quoted by the Wall Street Journal.


In May 2010 the Pentagon set up its new U.S. Cyber Command (USCYBERCOM), which it is now seeking to elevate to be on par with the other Commands and directly under the Commander-in-Chief. It also put into law, in the National Defense Authorization Act for Fiscal Year 2012, the following:

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests,…

There are some restrictions on such powers, but from what we have seen of the US, its President’s powers today are virtually unlimited in terms of waging war. The Libyan military intervention was carried out without any authorisation from Congress. Nor has the US recognised that attacks on civilian infrastructure, which the Natanz facility is, are forbidden under International Humanitarian Law.


Kaspersky and his colleagues have estimated that the Flame virus is 20 times the size of the Stuxnet virus and would have cost about $100 million to develop. It had a number of modules, including one that would delete the virus from the infected machine on receiving a command from its command and control centres. Others have pointed out that cryptographic skills of a high order were needed to crack Microsoft’s software update protocols and use this route to infect machines. Of course, for reasons not known, Microsoft had left this security hole in its update procedure in spite of knowing of the problem since 2008.


The Flame virus was detected when Iran reported to the International Telecommunication Union (ITU) that data was getting wiped from computers in its Oil Ministry. The ITU asked Kaspersky Lab, one of the leading anti-virus companies, to investigate, leading to the discovery of the Flame virus. Flame appears, as far as we know of it today, to be stealing data from computers. It communicated with a set of computers located around the world, which acted as the command and control centres, analysing which machines had been infected, what kind of data they had and which files should be sent back to the command and control centres. It also had the ability to turn on microphones, record conversations, turn Bluetooth devices on, record keystrokes and so on. Once the detection of Flame became public, the command and control centres issued a command to the virus to self-destruct and went dark.

Kaspersky Lab has now reported that there are sections of code in Flame that are identical to code in Stuxnet, showing clearly that the same countries behind Stuxnet are also the creators of Flame. In other words, Stuxnet was not just one virus but part of a much larger attack. Earlier, another virus called Duqu, also targeting Iran, had been identified as a part of the Stuxnet family.


The Stuxnet virus was very specifically targeted at destroying the centrifuges running in Natanz. Sanger writes in the New York Times that when the US reached an agreement with Gaddafi on Libya not continuing with its nuclear weapons program, the centrifuges Libya had received from A.Q. Khan’s network, believed to be identical to those in Iran, were sent to the US. These were used to plan out and physically test the actual attack. The virus attacked the controls of the frequency converters of the centrifuges, and therefore the speed of the centrifuges. The controls of the frequency converters were in Siemens PLCs, which were the specific targets of the attack. On activation, the virus would speed up and slow down the centrifuges repeatedly, leading to their eventual breakdown. It is estimated that about 1,000 out of 9,000 centrifuges were affected by Stuxnet and were taken out by Iran.
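The behaviour described above, a drive being pushed repeatedly between high and low speed, is also the kind of thing a plant operator can watch for from the outside. The following Python is an added illustration written for this page; it is not code from the article, from Stuxnet, or from Siemens. It assumes an out-of-band telemetry feed of drive output frequency in hertz sampled at a fixed interval, independent of the PLC that commands the drive, and the sample values, the thresholds and the window size are all constructed for the example. The idea is simple: a legitimate spin-up or spin-down is one large monotonic swing, while the attack pattern is many large swings in a short window.

```python
"""Added example (not from the article): flag repeated speed cycling in
drive-frequency telemetry, the failure mode the paragraph attributes to
Stuxnet. The telemetry source, thresholds and sample values are constructed."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class CyclingAlert:
    start_index: int   # sample index where the cycling episode begins
    end_index: int     # sample index of the last large swing in the episode
    swings: int        # number of large monotonic swings inside the window


def significant_swings(samples: Sequence[float], min_swing_hz: float) -> List[Tuple[int, int, float]]:
    """Split the series into monotonic runs and return (start, end, delta_hz)
    for every run whose total change is at least min_swing_hz.
    Sensor jitter of a few hertz never forms a run large enough to count."""
    swings: List[Tuple[int, int, float]] = []
    if len(samples) < 2:
        return swings
    run_start = 0
    direction = 0  # +1 rising, -1 falling, 0 not yet known
    for i in range(1, len(samples)):
        step = samples[i] - samples[i - 1]
        if step == 0:
            continue  # a flat plateau simply extends the current run
        sign = 1 if step > 0 else -1
        if direction and sign != direction:
            # The run reversed at i-1: close it and record it if it was large.
            delta = samples[i - 1] - samples[run_start]
            if abs(delta) >= min_swing_hz:
                swings.append((run_start, i - 1, delta))
            run_start = i - 1
        direction = sign
    delta = samples[-1] - samples[run_start]
    if abs(delta) >= min_swing_hz:
        swings.append((run_start, len(samples) - 1, delta))
    return swings


def detect_speed_cycling(samples: Sequence[float], window: int,
                         max_swings: int, min_swing_hz: float) -> List[CyclingAlert]:
    """Raise one alert per episode in which at least max_swings large swings
    complete within `window` samples of the episode's first swing.
    A single legitimate ramp is one swing and never alerts on its own."""
    swings = significant_swings(samples, min_swing_hz)
    alerts: List[CyclingAlert] = []
    j = 0
    while j < len(swings):
        start = swings[j][0]
        k = j
        while k < len(swings) and swings[k][1] - start < window:
            k += 1
        if k - j >= max_swings:
            alerts.append(CyclingAlert(start, swings[k - 1][1], k - j))
            j = k  # skip past the swings already attributed to this episode
        else:
            j += 1
    return alerts


# Constructed telemetry pieces (Hz): a spin-up ramp, steady running with
# sensor jitter, and a burst of cycling between a high and a very low speed.
RAMP = [100.0 * i for i in range(11)]                    # 0 .. 1000 Hz
STEADY = [1000.0, 1002.0, 999.0, 1001.0, 1000.0] * 12    # 60 jittery samples
CYCLING = ([1400.0] * 5 + [200.0] * 5) * 4               # 4 high/low cycles


def constructed_telemetry() -> List[float]:
    """Ramp, steady running, the cycling burst, then steady running again."""
    return RAMP + STEADY + CYCLING + STEADY


def normal_telemetry() -> List[float]:
    """The same series without the cycling burst; must produce no alert."""
    return RAMP + STEADY


if __name__ == "__main__":
    for a in detect_speed_cycling(constructed_telemetry(), window=50, max_swings=4, min_swing_hz=300.0):
        print(f"cycling episode: samples {a.start_index}-{a.end_index}, {a.swings} large swings")
    print("alerts on normal series:", detect_speed_cycling(normal_telemetry(), 50, 4, 300.0))
```

The thresholds have to be set per machine: the minimum swing should be well above normal regulation noise and below the smallest harmful excursion, and the window should be shorter than any legitimate sequence of start and stop cycles. The value of doing this on a separate measurement path is that the check does not depend on the PLC that is the target of the attack reporting honestly.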


Sanger’s report also indicates that this was a joint effort of the US and Israel. The US participants blamed the Israeli side for Stuxnet escaping into the external environment. Though Iran had the largest number of infected computers, Indonesia and India also had a number of computers infected by Stuxnet.


It has been suggested that one of the reasons for the Fukushima failure was the failure of some Siemens PLCs which might have been affected by Stuxnet, though there is no evidence that I can find of this happening. The issue is not that Fukushima happened because of Stuxnet, but that when Stuxnet turned rogue and escaped into the “wild”, it exposed all machines using Siemens PLCs to unknown dangers. Since PLCs are in various plants, including hazardous ones, the US in attacking Iran was putting at risk a huge number of countries and installations. And that includes India, which had over 5,000 infected systems.


Is there any international law or treaty regarding cyber war? Russia and China have both argued that space and cyberspace should be treated similarly and prohibited from weaponisation. The US position is that it is too early to speak about cyber war, perhaps because it is the only one waging it. As is well known, the US has also opposed attempts to demilitarise space, believing that it is the only one with the technology and money to successfully weaponise space. The Star Wars program, which is still being pursued, is an indicator that the US continues in its belief that it should dominate space as a part of its planned full-spectrum dominance. On cyber weapons, it has the same position: as long as it sees itself having an edge over others, it will continue to oppose any international treaty on cyber weapons.


The only international law we have is on whether cyber attacks constitute an act of war under the current definition of physical attacks. While theft of data is an act of espionage and therefore can be considered “normal” behaviour of a state, using a cyber weapon such as Stuxnet to physically damage equipment would constitute an act of war on par with a physical attack. There is no difference in law whether the damage was inflicted by a direct physical attack or by a targeted virus which creates the same damage. Using a virus to damage physical equipment therefore constitutes an act of war against Iran.


By initiating this new form of attack, the US has deliberately brought a whole new range of warfare and weapons into play. Where the US has led, others will surely follow. As Kaspersky has noted, “I’m afraid that it will be the end of the world as we know it... I’m afraid that very soon the world will be very different.” The interconnected world of today is far more vulnerable; just as a banking crash in the US can take down the global economy, so can a few strategically connected computers take down continental-sized grids affecting multiple countries, and similarly the global telecommunication networks. With its limited aim of attacking Iran, the US has just made the whole world an infinitely more dangerous place for all of us.